DNS Zones Overview

A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority. A zone is a portion of a namespace. It is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. A non-contiguous namespace cannot be a DNS zone.

A zone contains the resource records for all of the names within the particular zone. Zone files are used if DNS data is not integrated with Active Directory. The zone files contain the DNS database resource records that define the zone. If DNS and Active Directory are integrated, then DNS data is stored in Active Directory.

The different types of zones used in Windows Server 2003 DNS are listed below:

Primary zone

Secondary zone

Active Directory-integrated zone

Reverse lookup zone

Stub zone

Primary Zone: A primary zone is the only zone type that can be edited or updated because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone. Users can also back up data from a primary zone to a secondary zone.

Secondary Zone: A secondary zone is a read-only copy of the zone that was copied from the master server during zone transfer. In fact, a secondary zone can only be updated through zone transfer.

Reverse lookup zone: A reverse lookup zone is an authoritative DNS zone that resolves IP addresses to host names on the network. A reverse lookup zone can be any of the following zone types:

Primary zone

Secondary zone

Active Directory-integrated zone

Stub Zone: A stub zone is a new Windows Server 2003 feature. Stub zones contain only those resource records necessary to identify the authoritative DNS servers for the master zone. A stub zone is therefore only a partial copy of a zone, and it is used to resolve recursive and iterative queries:

Iterative queries: The DNS server provides the best answer it can. This can be:

The resolved name

A referral to a different DNS server

Recursive queries: The DNS server has to reply with the requested information or with an error. The DNS server cannot provide a referral to a different DNS server.

Stub zones contain the following information:

Start of Authority (SOA) resource records of the zone

Resource records that list the authoritative DNS servers of the zone

Glue address (A) resource records that are necessary for contacting the authoritative servers of the zone.

Zone delegation occurs when authority over a portion of the DNS namespace (a subdomain) is assigned to a separate zone. Users should delegate a zone under the following circumstances:

To delegate administration of a DNS domain to a department or branch of the organization.

To improve performance and fault tolerance of the DNS environment. Users can distribute DNS database management and maintenance between several DNS servers.

Understanding DNS Zone Transfer

A zone transfer can be defined as the process that occurs to copy the zone’s resource records on the primary DNS server to secondary DNS servers. Zone transfer enables a secondary DNS server to continue handling queries if the primary DNS server fails. A secondary DNS server can also transfer its zone data to other secondary DNS servers that are beneath it in the DNS hierarchy. In this case, the secondary DNS server is regarded as the master DNS server to the other secondary servers.

The zone transfer methods are:

Full transfer: When the user configures a secondary DNS server for a zone and starts the secondary DNS server, the secondary DNS server requests a full copy of the zone from the primary DNS server. A full transfer of all the zone information is performed. Full zone transfers tend to be resource intensive. This disadvantage of full transfers has led to the development of incremental zone transfers.

Incremental zone transfer: With an incremental zone transfer, only those resource records that have changed since the last transfer are sent to the secondary DNS servers. During zone transfer, the DNS databases on the primary DNS server and the secondary DNS server are compared to determine whether the DNS data differs. If the primary and secondary DNS servers' data are the same, no zone transfer takes place. If the data differs, the transfer of the changed (delta) resource records starts; this occurs when the serial number of the primary DNS server's database is higher than that of the secondary DNS server. For incremental zone transfer to occur, the primary DNS server has to record incremental changes to its DNS database. Incremental zone transfers require less bandwidth than full zone transfers.

Active Directory transfers: These zone transfers occur when Active Directory-integrated zones are replicated to the domain controllers in a domain. Replication occurs through Active Directory replication.

DNS Notify: This is a mechanism that enables a primary DNS server to inform secondary DNS servers when its database has been updated. DNS Notify informs the secondary DNS servers when they need to initiate a zone transfer so that the updates of the primary DNS server can be replicated to them. When a secondary DNS server receives the notification from the primary DNS server, it can start an incremental zone transfer or a full zone transfer to pull zone changes from the primary DNS servers.
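The decision the text describes (compare serial numbers on notification, pull only the delta when the primary has journaled it, pull a full copy otherwise) is easy to get subtly wrong, in particular the 32-bit serial wrap-around. The following Python model is an added example, not code from the original article or from Windows Server DNS; the server names, serials and zone records are constructed, and the transfer allow-list on the primary is an assumed configuration, not something the text describes.

```python
from dataclasses import dataclass, field

SERIAL_HALF = 1 << 31  # zone serials are 32-bit and wrap around


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: True if serial a is more recent than serial b.

    A plain a > b stops working once a serial wraps past 2**32 - 1.
    """
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


@dataclass
class Primary:
    """Primary (master) DNS server for one zone. Constructed sample data only."""
    serial: int
    records: dict                                  # owner name -> rdata
    journal: list = field(default_factory=list)    # (from_serial, to_serial, [(op, name, rdata)])
    allowed_secondaries: set = field(default_factory=set)   # assumed transfer allow-list

    def change(self, op: str, name: str, rdata: str = "") -> None:
        """Apply an edit, bump the serial and journal the delta so IXFR can replay it."""
        if op == "add":
            self.records[name] = rdata
        else:
            self.records.pop(name, None)
        new_serial = (self.serial + 1) & 0xFFFFFFFF
        self.journal.append((self.serial, new_serial, [(op, name, rdata)]))
        self.serial = new_serial

    def handle_request(self, requester: str, secondary_serial: int):
        """Compare serials and answer with a delta when the journal still covers
        the secondary's serial, or with a full copy otherwise."""
        if requester not in self.allowed_secondaries:
            return "refused", None
        if not serial_newer(self.serial, secondary_serial):
            return "uptodate", None
        delta, cursor = [], secondary_serial
        for from_serial, to_serial, changes in self.journal:
            if from_serial == cursor:
                delta.extend(changes)
                cursor = to_serial
        if cursor == self.serial:
            return "ixfr", delta
        return "axfr", dict(self.records)    # journal does not reach back far enough


@dataclass
class Secondary:
    """Secondary DNS server holding a read-only copy of the zone."""
    name: str
    serial: int
    records: dict = field(default_factory=dict)

    def on_notify(self, primary: Primary) -> str:
        """DNS Notify arrived: ask the master for changes and apply whatever it sends."""
        kind, payload = primary.handle_request(self.name, self.serial)
        if kind == "ixfr":
            for op, rname, rdata in payload:
                if op == "add":
                    self.records[rname] = rdata
                else:
                    self.records.pop(rname, None)
            self.serial = primary.serial
        elif kind == "axfr":
            self.records = payload
            self.serial = primary.serial
        return kind


def demo() -> list:
    """Walk through the cases from the text: initial full transfer, nothing to do,
    an incremental transfer, a refused request, and a fallback to a full transfer."""
    primary = Primary(serial=2023010101, records={"www.example.test.": "192.0.2.10"},
                      allowed_secondaries={"ns2.example.test."})
    ns2 = Secondary("ns2.example.test.", serial=0)
    outsider = Secondary("unknown.example.test.", serial=0)
    outcomes = [ns2.on_notify(primary)]            # new secondary: axfr
    outcomes.append(ns2.on_notify(primary))        # same serial: uptodate
    primary.change("add", "mail.example.test.", "192.0.2.25")
    outcomes.append(ns2.on_notify(primary))        # one journaled change: ixfr
    outcomes.append(outsider.on_notify(primary))   # not on the allow-list: refused
    primary.change("delete", "www.example.test.")
    primary.journal.clear()                        # journal trimmed: delta unavailable
    outcomes.append(ns2.on_notify(primary))        # axfr again
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields the sequence axfr, uptodate, ixfr, refused, axfr. The fallback at the end is the case worth remembering operationally: a secondary that has been offline longer than the primary keeps its change journal will silently get a full transfer rather than an incremental one, so bandwidth spikes after an outage are expected rather than a sign of trouble.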

Understanding DNS Resource Records

The DNS database contains resource records (entries) that are used to answer name resolution queries sent to the DNS server. Each DNS server contains the resource records (RRs) it needs to respond to name resolution queries for the portion of the DNS namespace for which it is authoritative. There are different types of resource records.

A few of the commonly used resource records (RRs) and their associated functions are described in the table below (record type, record name, function):

A (Host record): Contains the IPv4 address of a specific host, mapping the FQDN to a 32-bit IPv4 address.

AAAA (IPv6 address record): Ties a FQDN to a 128-bit IPv6 address.

AFSDB (Andrew File System database record): Associates a DNS domain name with a server subtype: an AFS version 3 volume location server, or an authenticated name server using DCE/NCA.

ATMA (Asynchronous Transfer Mode address record): Associates a DNS domain name with the ATM address given in the atm_address field.

CNAME (Canonical name / alias record): Ties an alias to its associated canonical domain name.

HINFO (Host info record): Indicates the CPU and OS type of a particular host.

ISDN (ISDN info record): Ties a FQDN to an associated ISDN telephone number.

KEY (Public key record): Contains the public key for zones that use DNS Security Extensions (DNSSEC).

MB (Mailbox name record): Maps a domain mailbox name to the mail server's host name.

MG (Mail group record): Ties a domain mailing group to mailbox resource records.

MINFO (Mailbox info record): Associates a mailbox with the individual who maintains it.

MR (Mailbox renamed record): Maps an older mailbox name to its new mailbox name.

MX (Mail exchange record): Provides routing for messages to mail servers and backup mail servers.

NS (Name server record): Lists the authoritative servers for a domain, and the authoritative DNS servers for delegated subdomains.

NXT (Next record): Indicates which resource record types exist for a name and specifies the next name in the zone.

OPT (Option record): A pseudo-resource record that provides extended DNS functionality.

PTR (Pointer record): Points to a different resource record; used in reverse lookups to point to A resource records.

RT (Route through record): Provides routing information for hosts that do not have a WAN address.

SIG (Signature record): Stores the digital signature for an RR set.

SOA (Start of Authority record): Contains zone information used to determine the name of the primary DNS server for the zone, and stores other zone properties such as version information.

Start of Authority (SOA) Resource Record

This is the first record in the DNS database file. The SOA record includes zone property information, such as the primary DNS server for the zone and version information.

The fields located within the SOA record are listed below:

Source host – the host for which the DNS database file is maintained

Contact e-mail – e-mail address for the individual who is responsible for the database file.

Serial number – the version number of the database.

Refresh time – the interval after which a secondary DNS server checks whether database updates have been made that have to be replicated via zone transfer.

Retry time – the time for which a secondary DNS server waits before attempting a failed zone transfer again.

Expiration time – the time for which a secondary DNS server will continue to attempt to download zone information. Old zone information is discarded when this limit is reached.

Time to live – the time that the particular DNS server can cache resource records from the DNS database file.
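To make the SOA fields concrete, the following Python is an added example, not code from the original article or from Windows Server DNS. It parses an SOA record in presentation (zone file) format, including the parenthesised multi-line form and the escaped-dot convention for the contact address, and then shows how a secondary uses the refresh, retry and expiration timers. The sample record, the `to_seconds` unit suffixes (plain seconds plus s/m/h/d/w) and the `next_action` state names are constructed for the example.

```python
import re
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value: str) -> int:
    """Accept plain seconds ('900') or a suffixed form ('15m', '1d')."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)


def contact_to_email(rname: str) -> str:
    """'hostmaster.example.test.' encodes hostmaster@example.test; a literal dot in
    the local part is escaped as backslash-dot in the zone file."""
    local, _, domain = rname.rstrip(".").replace("\\.", "\x00").partition(".")
    return local.replace("\x00", ".") + "@" + domain


@dataclass
class SOA:
    source_host: str   # primary DNS server for the zone (MNAME)
    contact: str       # responsible person's e-mail address (RNAME)
    serial: int        # version number of the zone data
    refresh: int       # seconds between update checks by a secondary
    retry: int         # seconds to wait before retrying a failed transfer
    expire: int        # seconds after which stale secondary data is discarded
    minimum_ttl: int   # default caching time for records from this zone


def parse_soa(text: str) -> SOA:
    """Parse a presentation-format SOA record (single line or the multi-line form)."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())   # strip comments
    tokens = body.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    if len(tokens) < i + 8:
        raise ValueError("SOA record is missing fields")
    mname, rname = tokens[i + 1], tokens[i + 2]
    serial = int(tokens[i + 3])
    refresh, retry, expire, minimum = (to_seconds(t) for t in tokens[i + 4:i + 8])
    return SOA(mname, contact_to_email(rname), serial, refresh, retry, expire, minimum)


def next_action(soa: SOA, since_success: int, since_attempt: int, last_failed: bool) -> str:
    """What a secondary should do given the SOA timers.

    since_success: seconds since the last successful refresh or zone transfer
    since_attempt: seconds since the last attempt, successful or not
    """
    if since_success >= soa.expire:
        return "expired"      # stop answering for the zone; the copy is no longer trustworthy
    if last_failed:
        return "retry" if since_attempt >= soa.retry else "wait"
    return "refresh" if since_success >= soa.refresh else "ok"


SAMPLE_SOA = """\
example.test.  IN  SOA  ns1.example.test.  hostmaster.example.test. (
                        2024010501  ; serial: version of the zone data
                        15m         ; refresh
                        600         ; retry
                        1d          ; expire
                        3600 )      ; minimum TTL
"""   # constructed sample record


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print(next_action(soa, since_success=1000, since_attempt=1000, last_failed=False))
```

The ordering in `next_action` matters: expiration is checked before anything else, because once the expire interval has passed without a successful refresh the secondary must stop serving the zone regardless of whether a retry is due. A short expire value combined with an unreachable primary is the usual cause of a secondary suddenly returning SERVFAIL.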

Name Server (NS) Resource Record

The Name Server (NS) resource record provides a list of the authoritative DNS servers for a domain as well as the authoritative DNS servers for any delegated subdomains. Each zone must have one or more NS resource records at the zone root. The NS resource records indicate the primary and secondary DNS servers for the zone defined in the SOA resource record. This in turn enables other DNS servers to look up names in the domain.

Host (A) Resource Record

The host (A) resource record contains the IP address of a specific host and maps the FQDN to a 32-bit IPv4 address. Host (A) resource records associate the domain names (FQDNs) of computers or hosts with their IP addresses. Because a host (A) resource record statically associates a host name with a specific IP address, users can manually add these records to zones for machines that have statically assigned IP addresses.

The methods used to add host (A) resource records to zones are:

Manually add these records using the DNS management console.

Use the Dnscmd tool at the command line to add host (A) resource records.

TCP/IP client computers running Windows 2000, Windows XP, or Windows Server 2003 use the DHCP Client service to both register their names and update their host (A) resource records.

Alias (CNAME) Resource Record

Alias (CNAME) resource records tie an alias name to its associated domain name, and are also referred to as canonical name records. By using canonical names, users can hide network information from the clients connected to their network. Alias (CNAME) resource records should be used when users have to rename a host that is defined in a host (A) resource record in the same zone.

Mail Exchanger (MX) Resource Record

The mail exchanger (MX) resource record tells sending mail servers which hosts accept e-mail for a domain, so that e-mail addresses do not have to name a specific mail server. A DNS domain can have multiple MX records. MX resource records can therefore also be used to provide failover to different mail servers when the primary server specified is unavailable. In this case, a server preference value is added to indicate the priority of a server in the list. Lower server preference values specify higher preference.

Pointer (PTR) Resource Record

The pointer (PTR) resource record points to a different resource record and is used for reverse lookups to point to A resource records. Reverse lookups resolve IP addresses to host names or FQDNs.

Add PTR resource records to zones through the following methods:

Manually add these records with the DNS management console.

Use the Dnscmd tool at the command line to add PTR resource records.

Service (SRV) Resource Records

Service (SRV) resource records are typically used by Active Directory to locate domain controllers, LDAP servers, and global catalog servers. SRV records define the location of specific services in a domain. They associate the location of a service, such as a domain controller or global catalog server, with details on how the particular service can be contacted.

The fields of the service (SRV) resource record are explained below:

Service name

The protocol used

The domain name associated with the SRV records

The port number for the particular service

The Time to Live value

The class

The priority and weight

The target specifying the FQDN of the particular host supporting the service
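The SRV fields listed above, and the MX preference value described earlier, are both consumed by the client rather than the server: the client sorts by priority (or preference) and, for SRV, spreads load by weight within a priority. The following Python is an added example, not code from the original article or from Windows Server or Active Directory; it parses presentation-format SRV records into the fields listed and shows the client-side selection order for SRV and MX. The `_ldap._tcp` records, the `dc*` and `mx*` host names and the `srv_targets` helper are constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    service: str    # e.g. _ldap
    proto: str      # e.g. _tcp
    domain: str     # domain the SRV record belongs to
    ttl: int
    priority: int   # lower is preferred
    weight: int     # relative share of load among equal-priority targets
    port: int
    target: str     # FQDN of the host providing the service


def parse_srv(line: str) -> SRV:
    """Parse one presentation-format SRV record, e.g.
    _ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test."""
    owner, ttl, rclass, rtype, priority, weight, port, target = line.split()
    if rclass != "IN" or rtype != "SRV":
        raise ValueError(f"not an IN SRV record: {line!r}")
    service, proto, domain = owner.split(".", 2)   # _service._proto.domain
    return SRV(service, proto, domain, int(ttl), int(priority), int(weight), int(port), target)


def order_srv(records: list, rng: random.Random) -> list:
    """Client-side selection order (RFC 2782): lowest priority first; within one
    priority, targets are drawn at random in proportion to weight, and weight-0
    targets are drawn only after every weighted target of that priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]                      # only weight-0 targets left
            if total:
                roll, acc = rng.randint(1, total), 0
                for r in pool:
                    acc += r.weight
                    if acc >= roll:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def srv_targets(records: list, seed: int) -> list:
    """Target names in selection order, using a seeded RNG so runs are reproducible."""
    return [r.target for r in order_srv(records, random.Random(seed))]


def order_mx(records: list) -> list:
    """MX records as (preference, target): the lower the preference value, the more
    preferred the server; equal preferences are tried in name order here."""
    return [target for _, target in sorted(records)]


SAMPLE_SRV = [parse_srv(line) for line in (   # constructed records for an AD-style LDAP service
    "_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.",
    "_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc2.example.test.",
    "_ldap._tcp.example.test. 600 IN SRV 0 0 389 dc3-maint.example.test.",
    "_ldap._tcp.example.test. 600 IN SRV 10 0 389 dc-backup.example.test.",
)]

SAMPLE_MX = [(20, "mx2.example.test."), (10, "mx1.example.test."), (30, "mx-backup.example.test.")]


if __name__ == "__main__":
    print(srv_targets(SAMPLE_SRV, seed=7))
    print(order_mx(SAMPLE_MX))
```

With the sample data, dc1 and dc2 share the load in either order, dc3-maint (weight 0, same priority) is used only when both are unavailable, and dc-backup (priority 10) comes last. Setting weight to 0 is therefore the way to keep a domain controller registered in DNS but out of normal rotation, for example during maintenance.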

The Zone Database Files

If the user is not using Active Directory-integrated zones, the specific zone database files that are used for zone data are:

Domain Name file: When new A type resource records are added to the domain, they are stored in this file. When a zone is created, the Domain Name file contains the following:

An SOA resource record for the domain

An NS resource record that indicates the name of the DNS server that was created.